Posted: . At: 9:58 AM. This was 4 years ago. Post ID: 14483

How to detect SSH connections on your machine.


It is possible to detect an established SSH connection from your machine to a remote server. The lsof command can view an SSH connection.

I am using SSH over port 443, so the connection is mixed up with a lot of other stuff that Firefox is connected to. But if I use grep and filter for the SSH connection, I can find it.

jason@jason-desktop:~/Videos$ lsof -i :443 | grep ssh
ssh     5272 jason    3u  IPv4  99884      0t0  TCP jason-desktop:49426->192.168.1.5:https (ESTABLISHED)

To get the TCP packets that are sent on beginning an SSH connection, use tcpdump like this.

jason@jason-desktop:~/Videos$ sudo tcpdump 'tcp[(tcp[12]>>2):4] = 0x5353482D'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s25, link-type EN10MB (Ethernet), capture size 262144 bytes
09:45:31.749134 IP jason-desktop.49584 > 192.168.1.5.https: Flags [P.], seq 2410466230:2410466271, ack 736001194, win 502, options [nop,nop,TS val 959057300 ecr 952037], length 41
09:45:31.848972 IP 192.168.1.5.https > jason-desktop.49584: Flags [P.], seq 1:43, ack 41, win 227, options [nop,nop,TS val 952137 ecr 959057300], length 42
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

These two packets are the SSH version banners exchanged when the connection is initiated: the filter reads the first four bytes of the TCP payload (tcp[12]>>2 is the header length, so the payload starts there) and matches when they equal 0x5353482D, the ASCII string "SSH-". The filter does not look at a port at all, only at packet contents, so it finds SSH connections even when, as here, they run over port 443.
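The same payload test as the tcpdump expression, written out in Python so the offset arithmetic is visible. This is an added example, not code from the original post; the TCP segments are constructed in the script (an SSH banner on port 443 with a timestamp option, a TLS record on port 443, and a banner on port 22), and the software-version strings in them are made up.

```python
import struct

SSH_MAGIC = 0x5353482D  # the four ASCII bytes "SSH-" as a big-endian uint32

def tcp_header_len(segment: bytes) -> int:
    """Header length in bytes from the data-offset nibble (high 4 bits of byte 12).
    BPF's tcp[12]>>2 equals (tcp[12]>>4)*4 while the reserved bits are zero,
    which is why the tcpdump expression above can skip the mask."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    return hdr_len

def looks_like_ssh_banner(segment: bytes) -> bool:
    """Same test as the filter: first four payload bytes == 'SSH-', any port."""
    payload = segment[tcp_header_len(segment):]
    return len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == SSH_MAGIC

def parse_banner(segment: bytes):
    """Split 'SSH-protoversion-softwareversion[ comments]' (RFC 4253 section 4.2)."""
    line = segment[tcp_header_len(segment):].split(b"\r\n", 1)[0]
    parts = line.decode("ascii", "replace").split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        return None
    return parts[1], parts[2].split(" ", 1)[0]

def build_segment(src, dst, payload, options=b"", flags=0x18):
    """Build a raw TCP segment (no IP header); options must be 32-bit padded."""
    words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", src, dst, 0, 0, words << 4, flags, 65535, 0, 0)
    return header + options + payload

# Constructed samples: SSH hidden on 443 beside a TLS record on 443, plus plain 22.
TS_OPTION = b"\x01\x01\x08\x0a" + struct.pack("!II", 959057300, 952037)  # nop,nop,TS
SAMPLES = {
    "ssh_on_443": build_segment(49584, 443, b"SSH-2.0-OpenSSH_8.2 sample\r\n", TS_OPTION),
    "tls_on_443": build_segment(59318, 443, bytes.fromhex("1703030058053311")),
    "ssh_on_22": build_segment(51000, 22, b"SSH-2.0-OpenSSH_8.2\r\n"),
}

def classify(samples=SAMPLES):
    """Apply the banner test to every sample, as tcpdump would per packet."""
    return {name: looks_like_ssh_banner(seg) for name, seg in samples.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name}: {'SSH banner' if hit else 'not an SSH banner'}")
```

Only the two segments carrying a banner match, regardless of port, and the 32-byte header of the sample with options shows why the filter has to compute the offset instead of assuming 20 bytes.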

Of course, once the session is encrypted a packet viewed in tcpdump looks like this (here a TLS record to port 443, shown as a hex and ASCII dump) and is not very useful unless it can be decrypted.

09:44:17.382119 IP 192.168.1.2.59318 > 104.16.59.249.443: Flags [P.], seq 2897944896:2897944989, ack 1995930347, win 9249, length 93
	0x0000:  4500 0085 a239 4000 4006 3286 c0a8 0102  E....9@.@.2.....
	0x0010:  6810 3bf9 e7b6 01bb acbb 2140 76f7 7aeb  h.;.......!@v.z.
	0x0020:  5018 2421 662b 0000 1703 0300 5805 3311  P.$!f+......X.3.
	0x0030:  7e11 f1c3 e253 8a23 df60 53b3 b302 3dd9  ~....S.#.`S...=.
	0x0040:  40ea fbe4 43fd 9569 e79d fce7 2a94 580c  @...C..i....*.X.
	0x0050:  ef79 9593 34a3 3d36 7d4b 7655 789c 22f7  .y..4.=6}KvUx.".
	0x0060:  d689 cd32 0a39 6920 c4e0 2827 7e97 6cd1  ...2.9i...('~.l.
	0x0070:  7b81 230e 508b 7c85 1b54 917c 0f53 bd68  {.#.P.|..T.|.S.h
	0x0080:  74c2 0edf 5d                             t...]

But the ability to see which connections are currently established, or are in the process of being established, is very useful. This tip should really help you out when using a Linux machine on a network.
